Conventionally, information processing systems where processes are hierarchically shared by a plurality of computers have been used (such systems are also referred to as hierarchical systems). As a hierarchical network, a three-layer hierarchical system has been known in the art. The three-layer hierarchical system includes a Web server for providing an interface for system utilization, an Application (AP) server for executing a process on the system, and a Database (DB) server for managing data. These servers cooperate with one another to execute a process in response to a process request from the user and then fulfill the process request. In this way, the reliability and response of the system will be improved by causing the respective computers to share the process.
Many information process systems handle confidential information, such as personal information and trade secret information. Therefore, proper protective measures, such as prevention against fraudulent acquisition of confidential information and prevention against alteration, have been desired. Thus, a network connected to servers to be protected may be provided with an Intrusion Detection System (IDS). The IDS compares communication data acquired from the network with previously registered patterns of unauthorized (or normal) information to detect unauthorized access to the relevant server or network.
On the other hand, when a registered user or an impersonator properly accesses the system, the IDS cannot detect the access as an unauthorized one. This is because the impersonator holds a proper ID or password and is capable of accessing the system without following any unauthorized procedure. However, the registered user or the like may manipulate data improperly. Thus, there is a technology for detecting unauthorized access by monitoring the manipulation of a database.
Here, in the hierarchical system, a process is shared by servers installed on the respective hierarchical layers. Thus, when unauthorized access to a database is detected, a series of communications (communication sequences) may be identified by tracking the communications related to the unauthorized access to identify the access source (for example, the accessing user or a terminal device). By identifying the communication sequence, for example, the access source can be identified, for example, from the history of access to the Web server. As a result, it becomes possible to appropriately manage the access source.
However, various application programs designed uniquely may be introduced into the hierarchical system to realize the functions of the respective layers. In this case, each application program manages communication data in a unique way. Thus, even if unauthorized access to a database is detected, it is difficult to trace the communication data in the massive amounts of communication data to identify the communication sequence of the unauthorized access.